RFID with Bio-Smart Card in Linux - In this paper, we describe the integration
of fingerprint template and RF smart card for clustered network, which is
designed on Linux platform and Open source technology to obtain biometrics
security. The combination of smart card and biometrics is achieved in two-step
authentication, where smart card authentication is based on a Personal Identification
Number (PIN) and the card holder is authenticated using the biometrics template
stored in the smart card that is based on the fingerprint verification. The
fingerprint verification has to be executed on central host server for security
purposes. The protocol designed allows controlling all parameters of the smart
security controller, like PIN options, Reader delay, real-time clock, alarm
option and cardholder access conditions.
pgp Key Signing Observations: Overlooked Social and Technical Considerations
- While there are several sources of technical information on using pgp in
general, and key signing in particular, this article emphasizes social aspects
of key signing that are too often ignored, misleading or incorrect in the
technical literature. There are also technical issues pointed out where I
believe other documentation to be lacking. It is important to acknowledge
and address social aspects in a system such as pgp, because the weakest link
in the system is the human that is using it. The algorithms, protocols and
applications used as part of a pgp system are relatively difficult to compromise
or 'break', but the human user can often be easily fooled. Since the human
is the weak link in this chain, attention must be paid to actions and decisions
of that human; users must be aware of the pitfalls and know how to avoid them.
Bulletproof Virus Protection - Protect your network from costly security
breaches with Guardian Digital’s multi-faceted security applications.
More than just an email firewall, on demand and scheduled scanning detects
and disinfects viruses found on the network.
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.
Earn an NSA recognized IA Masters Online - The NSA has designated Norwich University a center
of Academic Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched consulting
experience. Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.
Protect your home and business networks with the free, community version of
EnGarde Secure Linux. Don't rely only on a firewall to protect your network,
because firewalls can be bypassed. EnGarde Secure Linux is a security-focused
Linux distribution made to protect your users and their data.
Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headline.
Crypto Goes Mainstream
19th, October, 2006
Richard Moulds explains how cryptography is converging with other security technologies, such as identity management systems and strong authentication, to lay a foundation for data and content security.
With the distinction between inside and outside disappearing and remote users demanding access from anywhere and at anytime, organisations are turning to a more data-centric approach to security. And fundamental to this is the use of encryption.
While cryptography has long been used to protect data in motion, it is now being applied to protect data at rest, in databases, file systems and storage devices. In addition, cryptography is expanding beyond privacy enforcement to establish the integrity of data and documents and to ensure the security of audit information, easing compliance.
The purpose of the courses on this site is to educate anyone responsible for
protecting information assets in the essentials of Information Security. The
courses offered will continue to grow. So visit often.
The courses are free. We only ask that you consider making a donation to the
cause so we can continue providing free security education services.
The portal has a lot of features, including a voting system, free IT (security too) articles and more. If you want to promote your distribution, you can register it and submit news, which appears on the main site automatically. Readers can also submit news without logging in; it requires a moderator's acceptance. Top Ten charts will be published in IT magazines (PHP Solutions, Linux+, en.hakin9.org, SDJ) every month. If you're looking for Linux that fits you perfectly - you'll find it on DistroRankings.com!
Over the last several months, I've done my best to seek out every podcast related to computer security concepts. I started with a list of just under fifty podcasts and gradually eliminated the ones that consistently failed to offer interesting ideas or were simply too watered down. I'm left with the following list of podcasts that I feel are worth listening to. Since each podcast certainly isn't for everyone, I've included some details to make it easier to pick the ones that would most likely interest you the most. This list is in a blatantly-subjective order. If your podcast hasn't been included, contact me and I'll let you know if it was because I couldn't find it on my own or because I thought it sucked. If you have something to add, please leave a comment and I'll update my list.
On October 4th one of our readers sent in a very worrying analysis of what appeared to be "traffic modification" (in his words) on the part of the Tor network.
The Tor ("The Onion Router") network is an anonymizing peer-to-peer network of routers on the Internet which uses various techniques to bounce traffic around the Internet in such a way that traffic analysis becomes difficult if not impossible to perform. Tor is a perfect example of a dual-use technology: it can be used to avoid government-imposed Internet censorship or to protect the identity of a corporate whistleblower but at the same time it is sadly ideal for various nefarious uses.
The information security officer for a network of healthcare centers in New York found an employee sending confidential payroll information to a recruiter. A California-based semiconductor manufacturing technology provider caught a worker e-mailing PowerPoint slides detailing product plans to a former colleague at a competitor to show off the "cool things" he was working on. A network administrator for a school district in Indiana nabbed a student trying to finagle school lunch account information stored on an off-limits server.
Network Security – Not With a Peer-to-Peer Network!
19th, October, 2006
Most small business networks grow and evolve as the business grows. In one way, this is good. It shows the business is growing, becoming stronger. Unfortunately, from a network perspective, it can be a disaster in the making.
Most small business networks are set up in a peer-to-peer (P2P) format. In contrast, large corporate networks are set up in a domain format. What does this mean to you?
First, let us define the two network formats. In a P2P format every PC is responsible for its own security access. Basically, each PC is equal to every other PC in the network. These networks generally consist of less than ten computers and require a large amount of administrative overhead to function securely.
This time we will install a network protocol analyzer to watch the traffic on our LAN from initiating and connecting a SIP call.
The Wireshark open source project was formerly known as Ethereal. I used to work for a great company called Cybera as a programmer, and I was always fascinated by networking. I’d bug the network engineers for any information I could, and play around with Ethereal to try to understand what they were talking about.
If you’re working under Windows, download the installer. For our Ubuntu or Debian friends, it’s available under the standard free apt archives.
Breach Security announced the release of the ModSecurity version 2.0 open source Web application firewall. ModSecurity version 2.0 provides greater flexibility, enhanced attack detection, and support for XML and Web Services. At the same time, Breach Security is releasing the ModSecurity Console for monitoring multiple sensors and ModSecurity Core Rules that together provide easy-to-deploy baseline Web application security.
I am a web application security specialist and have been referred to as a web application firewall guy. In truth, I have many diverse interests (most of them related to technology) but I tend to deal with only one at a time. We live in exciting times when there is so much to do; wherever you look there is room for improvement. My background is in software development and I have spent significant time architecting software systems. However, over the last couple of years I became focused exclusively on security. Today I am probably best known for my work on ModSecurity, which is an open source web application firewall, and my book, Apache Security, which was published by O'Reilly in 2005.
A security flaw in the binary NVidia graphics drivers used by many Linux systems could allow an attacker to compromise, through a malicious Web page, any computer using the company's driver, security firm Rapid7 stated on Monday. The NVidia Binary Graphics Driver for Linux remains vulnerable, the company said in an advisory. However, the flaw has been publicly reported and may have been known about as early as December 2004, prompting the company to report the issue publicly.
OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Solaris and Windows.
This new release comes with multiple features, including support for
Modsecurity logs, MS exchange, MS FTPD and Windows firewall logs. It
also includes a port to HP-UX and numerous bug fixes and new
features.
Malicious code is living on weeks after it has been removed from websites thanks to an unexpected culprit - cache servers. According to Finjan Software, which has just released its latest Web trends report, caching technology used by search engines, ISPs and large companies has been discovered to harbour certain kinds of malicious code even after the website that hosted it has been taken down. Such "infection-by-proxy" code can remain in caches for as long as two weeks, giving it a "life after death" at a time it would conventionally be assumed to have been neutralised.
Sometimes it's all in the packaging. Take McDonald's "Happy Meals," for example. You've got a burger, fries, and a drink. But wrap it in kid-friendly packaging, add a cheap plastic toy, and voila! You've got a whole new product line. In the application development world, much the same thing has happened in recent months, as a grab bag of Web development technologies such as JavaScript, XML, and some tried-and-true presentation technologies such as HTML and CSS were rebranded AJAX (Asynchronous JavaScript and XML).
Nothing really changed, but the new name gave developers and those of us who write about technology something to wrap our brain around that was more compelling than just saying, "You can do cool new stuff developing Web-based clients using JavaScript and XML."
One in three people write down computer passwords, undermining their security, and companies should look to more advanced methods, including biometrics, to ensure their systems are safe, a new study shows.
A study released on Tuesday by global research firms Nucleus Research and KnowledgeStorm found companies' attempts to tighten IT security by regularly changing passwords and making them more complex by adding numbers as well as letters had no impact on security.
Staff still had a tendency to jot down passwords either on a piece of paper or in a text file on a PC or mobile device. "This is really a lot like mom and dad buying a great new security system for the house and junior leaving the combination under the door mat," said David O'Connell, senior analyst at Nucleus Research.
A complete overhaul of the way identity is verified on the Internet is the only way to stem the exponentially growing tide of online fraud, Internet privacy experts say.
Ontario's privacy commissioner and Microsoft executives held a joint news conference Wednesday in Toronto as part of a conference of the International Association of Privacy Professionals.
Increasingly sophisticated Internet scammers threaten to make the way people currently use the Internet obsolete, they warned.
What do you see as the biggest security threats today?
In IT security, the biggest "threat" has always been the end user. While IT security teams are fighting every day to keep the data safe by isolating the network with the latest security technology, the end user will be the one that will "forget" an opened window! Today, users have become more and more powerful and their development skills are growing.
The increasing complexity of the client systems they require, as a result of their global distribution and heterogeneity, is in itself more dangerous than any single threat.
Spam Campaign Attempts To Phish MySpace Music Fans
16th, October, 2006
There is an aggressively distributed spam campaign that uses the MySpace name in an attempt to phish information from music lovers. The emails have been spammed out to hundreds of thousands of computer users around the globe in the last week, luring them into clicking on links to a website posing as an online music store.
Someday a stranger will read your e-mail, rummage through your instant messages without your permission or scan the Web sites you’ve visited — maybe even find out that you read this story. You might be spied in a lingerie store by a secret camera or traced using a computer chip in your car, your clothes or your skin. Perhaps someone will casually glance through your credit card purchases or cell phone bills, or a political consultant might select you for special attention based on personal data purchased from a vendor. In fact, it’s likely some of these things have already happened to you.
In the last year alone, nearly 10 million Americans became victims of identity theft, a crime that cost them approximately $5 billion total. It is the fastest growing crime in the United States, and if you're not careful, it could happen to you, or perhaps it already has. On average, it takes identity theft victims 12 months to realize that they have been victimized. So what are the best ways to prevent identity theft? Firstly, you must understand what personal information of yours should be kept private. While some personal information is inevitably going to be made public, there are some items with high sensitivity that should never be made public.
Google is pushing full steam ahead with their office strategy, and their hope is to convince a lot of individuals and businesses to trust Google enough to store their documents on Google's servers instead of their own computers, or servers under their control.
The fact that unauthorized document access is a simple password guess or government "request" away already works against them. But the steady stream of minor security incidents we've seen (many very recently) can also hurt Google in the long run. Running applications for businesses is serious stuff, and Google needs to be diligent about security.
An examination of the e-voting database and its audit logs from the November 2004 general election in Alaska found that changes were made to the database in the months after the votes were tallied, according to the state’s Democratic Party.
The party contends that a study of the electronic voting database, which it obtained a copy of last month after a long battle with the state, revealed that the database had been accessed as recently as this July.
The Defense Department is unlikely to have any instant messaging scandals similar to the one that embroiled Rep. Mark Foley (R-Fla.). In the armed forces, misuse of online chatting doesn't just run the risk of personal embarrassment; it’s an issue of national security. DOD has a strict IM policy consisting of constant monitoring, prevention of the use of unapproved programs and enforcement of strict discipline when abuses are reported. Army Chief Information Officer Lt. Gen. Steven Boutelle outlined for reporters how the service enforces that policy Oct. 11 at the Association for the U.S. Army conference in Washington, D.C.
A hacker broke into Google Inc.'s main official blog on Saturday and posted a false message saying that the company had decided to cancel a joint project with eBay Inc.
"Hackers aren't looking for fame anymore," says Yuval Ben-Itzhak, CTO of Israeli security firm Finjan. Unlike in earlier years, their fondest hope is no longer that their PC-crashing code prompts headlines and TV news coverage around the globe.
Instead, "Now they go and sell their vulnerabilities and spyware apps for money," Ben-Itzhak tells eSecurity Planet. He says hackers often solicit bids from various buyers of known vulnerabilities; security holes that reveal users' financial information can command top dollar.
Hack This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. More than just another hacker wargames site, we are a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything. Tune in to the hacker underground and get involved with the project.